In July 2017, we added an important release to our service provider portfolio. It extended the reach of the Next-Generation Security Platform to inspect the network tunnels that traverse mobile networks. Defined by the 3GPP mobile standards body, GPRS Tunneling Protocol tunnels are used in all mobile networks.
GTP tunnels build the veins and arteries of the mobile network, reaching from the mobile device through the radio access network and onto the packet core of the network. They even extend beyond the network boundary to connect third-party roaming partner networks. While there are different release versions, there are two primary types of GTP tunnels: control and user. Control tunnels are used to establish and maintain communication. User tunnels carry customer data.
The use of these tunnels has not been lost on those who have malicious intent. Both the control and user tunnels create opportunities to disrupt or extort. The data tunnels provide a highway for malware to traverse the network undetected – the mobile handset being the obvious target. Google Android is the most widely deployed mobile device operating system and the focus for many malware developers. Faketoken and SpyDealer are two recent examples, designed to silently install on Android devices to collect personal data, record phone calls, control cameras and make purchases via applications. The resulting implications are wide.
GTP control tunnel vulnerabilities are less obvious but equally potent. Many risks focus on triggering behavior that overloads network signaling. Every device connected to the network is dependent on correctly functioning signaling processes. If signaling is disrupted or overloaded, service disruption can take place. Service disruption could be network-wide. Signaling threats can be subtle, with objectives that are difficult to detect. The more a device needs to make or respond to a signaling request, the more battery power is required. In the evolving IoT world, batteries are being asked to support devices over many years. Change the behavior of the signaling level, and these devices could be rendered useless within a fraction of their intended life span. The result could be a much shorter replacement cycle, with the associated cost to replace devices.
This is where Palo Alto Networks can make the difference. We can look deep inside the GTP control and user tunnels to ensure the protocols are behaving correctly, determine if signaling requests are legitimate, and inspect the data for threats and malware. If a device shows indicators of compromise, our platform can use signaling information to identify the SIM card and handset hardware number to allow the operator to apply a prevention strategy. The opportunity is to protect the customer and, ultimately, their own network. The platform can be positioned strategically in the network to inspect the GTP tunnels at key points in the network – for example, the radio access network – to look for threats from user devices. It can also protect at the roaming interconnection point, where operators connect.
It’s worth noting that as we developed this functionality, European regulators had their own strategic plan. Many had become frustrated by the mobile roaming costs across Europe, concerned about inflated rates to roam within the European Economic Area, or EEA. Consumers complained throughout the summer about returning home from holidays to large mobile phone bills when a game or application had consumed a large volume of data and generated an expensive bill. Terms and conditions meant they had no option but to pay. Stories like these encouraged self-regulation, and some consumers disabled mobile roaming, searching for reliable Wi-Fi as soon as they took their devices out for use. The result was low data roaming between mobile operators.
On June 15, European regulatory authorities abolished charges for temporary roaming within the EEA, promoting the change as “Roam Like at Home.” Tariffs in one’s home country now applied across Europe. Millions of European travelers were liberated. Unlimited mobile phone data packages now apply across Europe. The impact has been significant. Wi-Fi is no longer as important. 4G is often as good as or better than Wi-Fi. For many mobile operators, the data being transferred across mobile operator roaming exchanges has exploded.
What this means for operators is that a once relatively easy-to-manage part of their network has suddenly become more complex. The step change in roaming traffic has surprised many operators. It is likely that the traffic growth will continue as customers become accustomed to the new rules. It is equally likely that an increase in roaming traffic will change the threat landscape. Those who want to damage the reputation of the operator now have a new point of attack. Service disruption to the roaming network could now impact a lot more customers and have greater implications.
The timing of the European regulatory changes with the introduction of new Palo Alto Networks mobile security functionality was purely coincidental, but it could be serendipitous if it can be used to protect an increasingly critical point in the mobile network.
For more information on Palo Alto Networks advanced GTP features for service providers, download the white paper “Extended Application-Layer Visibility Across Multiple Mobile Network Peering Points.”